Typical Web app is attacked 274 times a year, study finds

By Kathleen Hickey

Aug 13, 2012

For agencies that use Web applications to deliver information and services, “battle days” are nearly the norm.

A typical website application experiences an average of 274 attacks, on an average of 120 days, each year, with some getting as many as 2,766, according to the latest Imperva Web Application Attack Report (WAAR).

Imperva based its finding on observation and analysis of traffic going to 50 Web apps between December 2011 and May 2012, and although the security company didn’t specify which apps it studied, past studies have found government sites vulnerable to the kinds of attacks Imperva found.

What the report calls “battle days,” or days on which at least one attack hits an app, occur 33 percent of the time for typical applications, an average of once every three days. Some targets experience attacks 292 days per year, or nearly 80 percent of the time.

When attacks occur, they appear to be random, meaning defenders cannot count on having any advance notice. Attacks are burst-oriented and not normally distributed.

Attacks will consist of hundreds or even thousands of individual attack requests. Defense solutions and procedures should be designed to accommodate attack bursts.

The majority of requests and attackers originate in the United States, western European countries, China and Brazil, with the largest number of attack requests originating from IP addresses in the United States.

France, however, is the leading source of SQLi attacks -- four times greater than the United States.

"We believe that organizations that are only prepared for an average attack incident may be overwhelmed by larger attack incidents, like a flood bursting through a levy," said Amichai Shulman, CTO, Imperva, in a release.

Last year a separate study by application security provider Veracode found the most commonly exploited security holes in Web applications -- particularly cross-site scripting (XSS) and SQLi -- are more common on government websites than on those in other sectors.

SQLi vulnerabilities were found in 40 percent of government apps, compared with 29 percent for finance apps and 30 percent for software. And although incidences of SQLi were declining in other sectors, they were holding steady in government.

In April, gray-hat hacker group The Unknowns used SQLi to hack 10 websites, including NASA’s Glenn Research Center, the Defense Department’s Joint Pathology Center, the Air Force’s home page and a Harvard University research project, according to the group’s post, which did point out that most of the vulnerabilities had been patched.

Meanwhile, the Air Force’s program to expand its cyber warfare simulation center to more military commands, educational institutions and other federal agencies next January may face the axe due to the possibility of large budget cuts in the Defense Department.

Some Imperva recommendations to address these attacks include:

Preparefor worst-case scenarios, rather than the average.

Automatesecurity procedures and solutions as much as possible, since attack volumes are too overwhelming for humans and typically there will be no advance warning of an attack.

Simulateburst attacks to test the adequacy of security solutions and procedures.